Accurics, the ‘code-to-cloud’ security specialist, came out of stealth mode to announce the formal launch of the company. It introduced technology that protects the cloud native infrastructure throughout the DevOps lifecycle, and reconciles risk posture drift between infrastructure defined through code and infrastructure running in the cloud.
These advances are critical as organizations rapidly embrace new technologies such as serverless, containers, and service mesh. The company has received $5mm in financial backing from blue-chip investors such as ClearSky, WestWave Capital, Firebolt Ventures and Secure Octane.
“While the rapid adoption of cloud native technologies is fueling innovation, organizations are grappling with the challenges of securing more complex cloud stacks,” said Accurics Co-founder & CEO Sachin Aggarwal.
“Risks in cloud deployments often go ignored due to the fact that detecting and fixing issues in production is costly. Organizations need a broader approach, in effect, ‘code-to-cloud’ security. That means seamless governance of infrastructure during development and in production, protection across the full cloud stack, monitoring for any posture ‘drift’ and swift return to a clean posture. Accurics is proud to introduce a dynamic platform that takes on all of these challenges with ease, speed and cost-effectiveness.”
The need for this solution is undeniable: Even as cloud deployments gain in popularity and importance—it’s reported that the global market is set to top $623 billion by 2023, representing a compound annual growth rate (CAGR) of 18%—there are still multiple challenges related to security, including:
- Complexity: Advances such as serverless, containers and service mesh involve multiple management interfaces, significantly increasing the risk of manual errors; the adoption of hybrid and multi-cloud deployments further amplifies the problem.
- Consistency: Technologies such as Terraform, Kubernetes, Docker and OpenFaaS provision and manage infrastructure through code and reduce manual errors, but make it difficult to maintain consistent governance across the full stack.
- Drift: In dynamic cloud environments, very little is locked down—privileged users can make changes to the cloud infrastructure in production, and even legitimate changes can cause a drift from the intended compliance and security posture and introduce risks.
Meanwhile, most current options lack a comprehensive defense. For example, first generation Cloud Security Posture Management (CSPM) solutions focus primarily on assuring governance in production, which is far too late.
In contrast, there are disparate tools that can be embedded earlier in the DevOps lifecycle but they only protect parts of the cloud native stack and solve point problems such as infrastructure as code scanning and vulnerability management. More importantly, these solutions can’t reconcile any posture drifts in production from a baseline defined through code.
“Securing cloud infrastructure is highly complex because an increasing number of dependencies are involved, and different actors using different tools play a role in protecting it,” said Paula Musich, research director at Enterprise Management Associates, a leading industry analyst firm based in Boulder, CO that provides deep insight across the full spectrum of information technologies.
“While a number of startups and established security vendors are attempting to solve specific issues, such as scanning reusable code for vulnerabilities or managing access to applications and data, piecemeal approaches that require different consoles only increase the chaos.
“What’s needed is a single tool to manage risks and policy violations early in the DevOps lifecycle and ensure that the original configuration intended by the developer remains true (and secure) once it leaves their hand and goes into production. This is the broader problem Accurics is solving, and it should give IT executives greater confidence in their ability to properly secure cloud infrastructure.”
Talha Tariq, an advisor to Accurics who currently holds the position of chief security officer at HashiCorp, a leader in multi-cloud infrastructure automation software whose open source tools are downloaded tens of millions of times a year and are broadly adopted by the Global 2000, said: “While infrastructure as code enables agility and reliability, it also provides an opportunity to embed security earlier in the DevOps lifecycle. Accurics reduces the attack surface by detecting risks in code before infrastructure is provisioned and flags changes to production that may introduce security posture drift.”
Code-to-cloud security: The Accurics advantage
“Our goal in developing the Accurics platform was to protect the full cloud native stack throughout the DevOps lifecycle, from the moment it’s defined in code and throughout the lifecycle of infrastructure being employed in production,” said Accurics Co-founder & CTO, Piyush Sharrma.
“Perhaps most importantly, we prevent the risk posture in production drifting away from the baseline defined through code. That’s the only way to ensure consistently strong protection that enables organizations to innovate with confidence.”
Accurics meets the specific needs of both DevOps and security by addressing specific challenges. These encompass:
- Breach path prediction: The platform develops threat models by analyzing vulnerability feeds, IAM privileges, and other data to detect and remediate potential exposure paths in infrastructure code, reducing the attack surface in production. It subsequently monitors production for changes that introduce risks, and responds immediately via integrations with existing remediation workflows.
- Proactive compliance & governance: Accurics scans infrastructure as code for violations of common compliance and cybersecurity practices—such as SOC 2, GDPR, PCI, HIPAA, ISO, CIS Benchmark, AWS Best Practices and the AWS well-architected framework—and addresses violations through integrations with existing remediation workflows. This ensures a compliant posture before the infrastructure is provisioned. Production cloud deployments are then monitored against the same policies, and changes that cause violations are remediated. This enables organizations to demonstrate continuous compliance to auditors, management, and customers.
- Cloud integrity assurance: Accurics generates a real-time topology across the full stack defined through code, which helps spot design issues early in the DevOps lifecycle. Once the issues are addressed, the code is established as a baseline. The platform then continuously assesses the production cloud deployment for changes in topology from the baseline and flags drifts. If the drift is due to a legitimate change, the code can be updated, and if it introduces risks, organizations can roll their code back to the last known secure posture.
LendingClub’s Chief Data Officer and Head of Cyber Risk Management, Paolo Montini, commented, “When it comes to protecting data, either from an information security perspective or to comply with regulatory requirements such as PCI, GDPR, or HIPAA, the majority of key controls are managed through configuration.
“Accurics continuously monitors infrastructure code as well as production cloud deployments for changes that introduce misconfigurations and policy violations.” LendingClub is the world’s largest peer-to-peer lending platform.
Leaders and visionaries
The core management team at Accurics includes:
- Sachin Aggarwal, Co-founder & CEO: He brings to his new venture a long history of launching successful startups – Accurics is the fifth company he’s founded. Among other milestones, he previously founded and led Layered Insight, which was subsequently acquired by Qualys; Jvion, which was acquired by JMI Equity; and Aqreva, which was acquired by Invision Capital. He has also served on the boards of Reventics, the provider engagement company, and other tech start-ups.
- Piyush Sharrma, Co-founder & CTO: He has two decades’ experience in cloud, endpoint, and information security technologies, and has helped launch numerous enterprise products. He was most recently Head of Engineering at Symantec, where he led the release of seven new products with a combined revenue of more than $500 million. He is also an inventor with five patents filed and was a member of Symantec’s patent review committee.
- Upa Campbell, Chief Strategy & Marketing Officer: She’s a seasoned executive with demonstrated success in marketing, product management, and engineering, and domain expertise in cloud, security, and network technologies. She was most recently VP of Marketing at Palo Alto Networks, and previously held similar roles at RedLock, which was acquired by Palo Alto Networks, and Palerra, acquired by Oracle Corp.
“There are many security technology startups, but the most successful of these feature a perfect blend of market need, strong management, strategic vision, innovation and ability to execute. That’s what we see in Accurics,” said Patrick Heim, Partner & CISO at ClearSky, a venture capital / growth equity firm with a philosophy of investing in enterprises that offer transformative security, privacy, and compliance solutions.
Heim continued: “Accurics comes to market with a sophisticated and distinctive approach that protects cloud infrastructure throughout the DevOps lifecycle. This boosts compliance, governance and security across the full cloud native stack in hybrid and multi-cloud environments. We believe the company has a great future, and we’re excited to offer our support and guidance.”
This team has led the development of an innovative platform that protects hybrid and multi-cloud environments with a wide range of capabilities, including:
- Full stack visibility: Visualizes the real-time topology in code and cloud across a full stack, including serverless, container, platform and infrastructure technologies.
- Infrastructure as code security: Continuously scans infrastructure code such as Terraform, Ansible, Kubernetes YAML, Dockerfile and OpenFaaS YAML for misconfigurations, vulnerabilities, policy violations, and potential breach paths before the cloud infrastructure is provisioned.
- Cloud posture management: Continuously monitors production cloud deployments for changes that introduce misconfigurations, policy violations, and potential breach paths.
- Drift detection: Continuously assesses the posture of a cloud deployment and flags any drifts from the posture defined through code.
- Posture restoration: If a drift is due to a legitimate change, the code can be updated to reflect the change; if it introduces risks, the code can be restored to the last known secure posture.
- Remediation: Resolves issues that are flagged via integrations with alert management mechanisms such as Slack, JIRA, Splunk, webhooks and email.
The market is clearly primed for these capabilities. As Al Ghous, Chief Security Officer at ServiceMax, the global market-leader in Service Execution Management that processes more than two million work orders each month and services over 200 million equipment units, stated, “We no longer provision a server, install an operating system or configure an application. It is all done through configuration scripts.”
He concludes, “Accurics helps organizations get visibility into these configuration scripts to make sure they are secure and compliant.”